<!doctype html>
<html lang="en-US" class="no-js">
<head>
<meta charset="UTF-8">
<title>FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet - Check Point Research</title>
<meta class='swiftype' name='popularity' data-type='integer' content='4'/>
<link href="//research.checkpoint.com/wp-content/themes/research/img/icons/favicon.ico" rel="shortcut icon">
<link href="//research.checkpoint.com/wp-content/themes/research/img/icons/touch.png" rel="apple-touch-icon-precomposed">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="Latest Research by our Team">
<!-- Google Tag Manager -->
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-5JCRGP');</script>
<!-- End Google Tag Manager -->
<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v17.8 - https://yoast.com/wordpress/plugins/seo/ -->
	<link rel="canonical" href="https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet - Check Point Research" />
	<meta property="og:description" content="Research By: Omer Ventura, Ori Hamama, Network Research Introduction Recently, Check Point Research encountered several attacks that exploited multiple vulnerabilities, including some that were only recently published, to inject OS commands. The goal behind the attacks was to create an IRC botnet, which can later be used for several purposes, such as DDoS attacks or... Click to Read More" />
	<meta property="og:url" content="https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/" />
	<meta property="og:site_name" content="Check Point Research" />
	<meta property="article:published_time" content="2021-01-19T10:58:54+00:00" />
	<meta property="article:modified_time" content="2021-01-26T10:57:16+00:00" />
	<meta property="og:image" content="https://research.checkpoint.com/wp-content/uploads/2021/01/LinuxCVEs_blog_header.jpg" />
	<meta property="og:image:width" content="1021" />
	<meta property="og:image:height" content="580" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Ori Hamama" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="14 minutes" />
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//code.jquery.com' />
<link rel='dns-prefetch' href='//use.fontawesome.com' />
<link rel='stylesheet' id='wp-block-library-css'  href='//research.checkpoint.com/wp-includes/css/dist/block-library/style.min.css?ver=5.8.2' media='all' />
<link rel='stylesheet' id='research-css'  href='//research.checkpoint.com/wp-content/themes/research/style.css?ver=1.29' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='//research.checkpoint.com/wp-content/themes/research/css/bootstrap.min.css?ver=4.1' media='all' />
<link rel='stylesheet' id='flickity-css'  href='//research.checkpoint.com/wp-content/themes/research/css/flickity.min.css?ver=1.1' media='all' />
<link rel='stylesheet' id='fa-css'  href='https://use.fontawesome.com/releases/v5.6.3/css/all.css?ver=5.6.3' media='all' />
<link rel='stylesheet' id='enlighterjs-css'  href='https://research.checkpoint.com/wp-content/plugins/enlighter/cache/enlighterjs.min.css?ver=TJ0/7+iAWMKbDKS' media='all' />
<script type='text/javascript' src='https://code.jquery.com/jquery-3.4.0.min.js?ver=5.8.2' id='jquery-js'></script>
<script type='text/javascript' src='//research.checkpoint.com/wp-content/themes/research/js/lib/bootstrap.bundle.min.js?ver=4.1' id='bootstrap_js-js'></script>
<script type='text/javascript' src='//research.checkpoint.com/wp-content/themes/research/js/lib/flickity.pkgd.min.js?ver=1.0.1' id='flickity-js'></script>
<script type='text/javascript' src='//research.checkpoint.com/wp-content/themes/research/js/single-post.js?ver=1.0.4' id='post-js'></script>
<!-- Stream WordPress user activity plugin v3.8.2 -->
      <meta name="onesignal" content="wordpress-plugin"/>
            <script>

      window.OneSignal = window.OneSignal || [];

      OneSignal.push( function() {
        OneSignal.SERVICE_WORKER_UPDATER_PATH = "OneSignalSDKUpdaterWorker.js.php";
                      OneSignal.SERVICE_WORKER_PATH = "OneSignalSDKWorker.js.php";
                      OneSignal.SERVICE_WORKER_PARAM = { scope: "/" };
        OneSignal.setDefaultNotificationUrl("//research.checkpoint.com");
        var oneSignal_options = {};
        window._oneSignalInitOptions = oneSignal_options;

        oneSignal_options['wordpress'] = true;
oneSignal_options['appId'] = '3ba17c77-81bb-4a83-8917-7b62de3d6e22';
oneSignal_options['allowLocalhostAsSecureOrigin'] = true;
oneSignal_options['welcomeNotification'] = { };
oneSignal_options['welcomeNotification']['disable'] = true;
oneSignal_options['path'] = "https://research.checkpoint.com/wp-content/plugins/onesignal-free-web-push-notifications/sdk_files/";
oneSignal_options['safari_web_id'] = "web.onesignal.auto.45da02f8-0e2a-491b-9d85-c6fbaf55a283";
oneSignal_options['promptOptions'] = { };
                OneSignal.init(window._oneSignalInitOptions);
                OneSignal.showSlidedownPrompt();      });

      function documentInitOneSignal() {
        var oneSignal_elements = document.getElementsByClassName("OneSignal-prompt");

        var oneSignalLinkClickHandler = function(event) { OneSignal.push(['registerForPushNotifications']); event.preventDefault(); };        for(var i = 0; i < oneSignal_elements.length; i++)
          oneSignal_elements[i].addEventListener('click', oneSignalLinkClickHandler, false);
      }

      if (document.readyState === 'complete') {
           documentInitOneSignal();
      }
      else {
           window.addEventListener("load", function(event){
               documentInitOneSignal();
          });
      }
    </script>
<link rel="amphtml" href="https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/amp/"><script src="//research.checkpoint.com/wp-content/themes/research/header/inc-header.js?v=1.1"></script>
<link rel="stylesheet" href="//research.checkpoint.com/wp-content/themes/research/header/style.css">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
</head>
<body class="single">
<!-- Google Tag Manager (noscript) -->
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-5JCRGP" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager (noscript) -->
<header id="inc-header">
    <div id="inc-top-nav">
        <div class="inc-wrapper">
            <ul>
                <li><a href="https://www.checkpoint.com">CheckPoint.com</a></li>
                <li><a href="https://www.facebook.com/checkpointresearch/"><img src="//sc1.checkpoint.com/sc1/inc/html/images/social/facebook.gif" alt="Facebook" /></a></li>
                <li><a href="https://plus.google.com/+checkpoint/posts"><img src="//sc1.checkpoint.com/sc1/inc/html/images/social/google-plus.gif" alt="Google Plus" /></a></li>
                <li><a href="https://www.linkedin.com/company/check-point-software-technologies"><img src="//sc1.checkpoint.com/sc1/inc/html/images/social/linkedin.gif" alt="LinkedIn" /></a></li>
                <li><a href="/cdn-cgi/l/email-protection#18276c77253e6b6d7a727d7b6c254a7d6b7d796a7b70365b707d7b73487771766c367b77753e7a777c61255b707d7b73776d6c3d2a286c707d3d2a2874796c7d6b6c3d2a286a7d6b7d796a7b703d2a2877763d2a284a7d6b7d796a7b70365b707d7b73487771766c367b777539"><img src="//sc1.checkpoint.com/sc1/inc/html/images/social/email.gif" alt="E-Mail Checked Point Research" /></a></li>
                <li><a href="https://research.checkpoint.com/feed"><img src="//sc1.checkpoint.com/sc1/inc/html/images/social/rss.gif" alt="RSS" /></a></li>
                <li><a href="https://twitter.com/_cpresearch_"><img src="//sc1.checkpoint.com/sc1/inc/html/images/social/twitter.gif" alt="Twitter" /></a></li>
            </ul>
        </div>
    </div>
    <div class="inc-wrapper">
        <div id="inc-logo">
            <a href="https://research.checkpoint.com/" title="Check Point Research"><img src="//sc1.checkpoint.com/sc1/inc/html/images/check-point-research-logo.gif" alt="Check Point Research" /></a>
        </div>
        <nav id="inc-nav">
            <ul class="menu">
                <li class="menu-item"><a href="https://research.checkpoint.com/category/threat-research/">Publications</a>
                    <ul class="inc-sub-menu">
                        <li><a href="https://research.checkpoint.com/category/threat-research/">Threat Research</a></li>
                        <li><a href="https://research.checkpoint.com/category/cpradio/">CPRadio</a></li>
                        <li><a href="https://research.checkpoint.com/category/threat-intelligence-reports/">Attack Reports</a></li>
                    </ul>
                </li>
                <li class="menu-item"><a href="#">Tools</a>
                    <ul class="inc-sub-menu">
                    	<li><a href="https://cpr-zero.checkpoint.com/" target="_blank">CPR Zero- Vulnerability Repository</a></li>
                    	<li><a href="https://evasions.checkpoint.com/" target="_blank">Evasion techniques Encyclopedia</a></li>
                    	<li><a href="https://anti-debug.checkpoint.com/" target="_blank">Anti-Debug Tricks</a></li>
                        <li><a href="https://threatemulation.checkpoint.com/" target="_blank">SandBlast File Analysis</a></li>
                        <li><a href="https://research.checkpoint.com/category/how-to-guides/">How-To Guides</a></li>
                        <li><a href="https://www.checkpoint.com/urlcat/" target="_blank">URL Categorization</a></li>
                        <li><a href="http://www.cpcheckme.com/checkme/" target="_blank">Instant Security Assessment</a></li>
                        <li><a href="https://threatmap.checkpoint.com/ThreatPortal/livemap.html" target="_blank">Live Threat Map</a></li>
                    </ul>
                </li>
                <li class="menu-item"><a href="https://research.checkpoint.com/about-us/">About Us</a></li>
                <li class="menu-item"><a href="https://research.checkpoint.com/contact/">Contact Us</a></li>
                <li class="menu-item"><a href="https://research.checkpoint.com/subscription/">Subscribe</a></li>
                <li class="menu-item"><a href="https://www.checkpoint.com/support-services/threatcloud-incident-response/"><img src="//research.checkpoint.com/wp-content/themes/research/img/lib/under-attack.gif" alt="Are You Under Attack?" /></a></li>
            </ul>
            <a href="#" class="mobile-menu" data-action="toggleMenu"><i class="fa fa-bars" data-action="toggleMenu"></i> MENU</a>
        </nav>
        <div id="inc-search">
            <input type="text" placeholder="Search for Research Publications, Malware Families, etc.." />
        </div>
    </div>
</header>
<div class="container" id="featured-image">
	<div class="row">
		<div class="col-md-12">
			<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2021/01/LinuxCVEs_blog_header.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />		</div>
	</div>
</div>
<div class="container main clear" id="content-container">
<div class="row">
	<div class="col-md-12" id="content">
					<article id="post-24532" class="post-24532 post type-post status-publish format-standard has-post-thumbnail hentry category-uncategorized">
				<h1>FreakOut – Leveraging Newest Vulnerabilities for creating a Botnet</h1>
				<!-- Date section -->
				<span id="post-date">
					January 19, 2021				</span>
				<!-- End Date section -->
				
<p>Research By: Omer Ventura, Ori Hamama, Network Research</p>



<h1>Introduction</h1>
<p>Recently, Check Point Research encountered several attacks that exploited multiple vulnerabilities, including some that were only recently published, to inject OS commands. The goal behind the attacks was to create an IRC botnet, which can later be used for several purposes, such as DDoS attacks or crypto-mining.</p>
<p>The attacks aim at devices that run one of the following:</p>
<ul>
<li>TerraMaster TOS(TerraMaster Operating System) &#8211; the operating system used for managing TerraMaster NAS (Network Attached Storage) servers</li>
<li>Zend Framework &#8211;  a collection of packages used in building web application and services using PHP, with more than 570 million installations</li>
<li>Liferay Portal &#8211; a free, open-source enterprise portal. It is a web application platform written in Java that offers features relevant for the development of portals and websites</li>
</ul>
<p></p>
<p><img loading="lazy" width="898" height="125" class="aligncenter size-full wp-image-24534" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure1-1.png" alt="Figure1" /></p>
<p style="text-align: center;"><strong>Figure 1: </strong>The products attacked by the campaign.</p>
<p>Each of the infected devices can be later used as an attacking platform, thus making the attack flow recursive. In a later variant, Xmrig causes the victim’s device to engage in coin-mining.</p>
<p>&nbsp;</p>
<h1>FreakOut Infection Chain</h1>
<p><img loading="lazy" width="1157" height="414" class="aligncenter size-full wp-image-24561" src="//research.checkpoint.com/wp-content/uploads/2021/01/image1.png" alt="The attack flow of the campaign" /></p>
<p style="text-align: center;"><strong>Figure 2: </strong>The attack flow of the campaign.</p>
<p>The campaign exploits these recent vulnerabilities: CVE-2020-28188, CVE-2021-3007 and CVE-2020-7961. These allow the attacker to upload and execute a Python script on the compromised servers.</p>
<p>&nbsp;</p>
<h3><strong>CVE-2020-28188</strong></h3>
<p>The vulnerability is caused by a lack of input validation in the “event” parameter in the “makecvs” PHP page (/include/makecvs.php). This allows a remote unauthenticated attacker to inject OS commands, and gain control of the servers using TerraMaster TOS (versions prior to  4.2.06).</p>
<p><img loading="lazy" width="644" height="174" class="aligncenter size-full wp-image-24538" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure3.png" alt="The attack exploiting CVE-2020-28188 as seen in the logs." data-wp-editing="1" /></p>
<p style="text-align: center;"><strong>Figure 3: </strong>The attack exploiting CVE-2020-28188 as seen in our sensors.</p>
<p>&nbsp;</p>
<h3><strong>CVE-2021-3007</strong></h3>
<p>This vulnerability is caused by the unsecured deserialization of an object. In versions higher than Zend Framework 3.0.0, the attacker abuses the Zend3 feature that loads classes from objects in order to upload and execute malicious code in the server. The code can be uploaded using the “callback” parameter, which in this case inserts a malicious code instead of the “callbackOptions” array.</p>
<p><img loading="lazy" width="862" height="294" class="aligncenter size-full wp-image-24539" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure4.png" alt="The attack exploiting CVE-2021-3007 as seen in the logs." /></p>
<p style="text-align: center;"><strong>Figure 4: </strong>The attack exploiting CVE-2021-3007 as seen in our sesnors.</p>
<p>&nbsp;</p>
<h3><strong>CVE-2020-7961</strong></h3>
<p>The vulnerability is a Java unmarshalling vulnerability via JSONWS in Liferay Portal (in versions prior to 7.2.1 CE GA2). Marshalling, which is similar to serialization, is used for communication with remote objects, in our case with a serialized object. Exploiting the vulnerability lets the attacker provide a malicious object, that when unmarshalled, allows remote code execution.</p>
<p><img loading="lazy" width="987" height="332" class="aligncenter size-full wp-image-24541" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure5.png" alt="" /></p>
<p style="text-align: center;"><strong>Figure 5: </strong>The attack exploiting CVE-2020-7961 as seen in our sensors.</p>
<p>In all the attacks involving these CVEs, the attacker’s first move is to try running different syntaxes of OS commands to download and execute a Python script named “out.py”.<br />After the script is downloaded and given permissions (using the “chmod” command), the attacker tries to run it using Python 2. Python 2 reached EOL (end-of-life) last year, meaning the attacker assumes the victim’s device has this deprecated product installed.</p>
<h1> </h1>
<h1>The Python Code – out.py</h1>
<p>The malware, downloaded from the site https://gxbrowser[.]net, is an obfuscated Python script consisting of polymorphic code. Many of the function names remain the same in each download, but there are multiple functions that are obfuscated using random strings generated by a packing function. The first attack trying to download the file was observed on January 8, 2021. Since then, hundreds of download requests from the relevant URL were made.</p>
<p><img loading="lazy" width="1786" height="984" class="aligncenter size-full wp-image-24542" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure6.png" alt="The __init__ function of the main class of the code “out.py”. The code is obfuscated and encoded with several different functions. Each time it is downloaded, the code is obfuscated anew. differently." /></p>
<p style="text-align: center;"><strong>Figure 6: </strong>The <em>__init__</em> function of the main class of the code <em>“out.py”. </em>The code is obfuscated and encoded with several different functions. Each time it is downloaded, the code is obfuscated anew. differently.</p>
<p>&nbsp;</p>
<p>When we searched for the relevant domain and file in VirusTotal (VT), we found other codes called “out.py”. <br />These files were uploaded only a few hours before the attacks began, and had low scores of detections by the AVs presented in VirusTotal. All the files originated from the same domain, hxxp://gxbrowser[.]net, as this address is hardcoded in all scripts and is the only address that appears.</p>
<p><img loading="lazy" width="918" height="170" class="aligncenter size-full wp-image-24543" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure7.png" alt="Other codes related to the domain and IP.  Both are Python-based although the second is classified as Java." /></p>
<p style="text-align: center;"><strong>Figure 7: </strong>Other codes related to the domain and IP. Both are Python-based although the second is classified as Java.</p>
<p>When we examined the first variation uploaded to VT (the third one in Fig.7) with our script, and compared the codes and their functions, it seemed to be a slightly earlier version of the code.</p>
<p><img loading="lazy" width="1784" height="494" class="aligncenter size-full wp-image-24562" src="//research.checkpoint.com/wp-content/uploads/2021/01/figure8-with_colors-1.png" alt="Comparing the different files. They have some similarities in function names and comments that shed some light on the more obfuscated code." /></p>
<p style="text-align: center;"><strong>Figure 8: </strong>Comparing the different files. They have some similarities in function names and comments that shed some light on the more obfuscated code.</p>
<p>The code itself is less obfuscated, includes comments, and seems to be related to our attacker.</p>
<p><img loading="lazy" width="1793" height="758" class="aligncenter size-full wp-image-24545" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure9.png" alt="Figure 9: An earlier version of the same function presented in Fig.3. This time it contained developer comments revealing some of the variables’ purposes." /></p>
<p style="text-align: center;"><strong>Figure 9: </strong>An earlier version of the same function presented in Fig.6. This time it contained developer comments revealing some of the variables’ purposes.</p>
<p>In addition, in this version, the attacker left a calling card with relevant information, including the code developer’s name and an update that took place on January 1, 2021. All this information was omitted in the version we studied</p>
<p><img loading="lazy" width="892" height="252" class="aligncenter size-full wp-image-24546" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure10.png" alt="A calling card left in the earlier version of the code" /></p>
<p style="text-align: center;"><strong>Figure 10: </strong>A calling card left in the earlier version of the code.</p>
<p>Comparing the two codes and the different comments helped reveal the code communication methods, the capabilities and the threat actor behind it.</p>
<p>&nbsp;</p>
<h1>The Malware Capabilities</h1>
<p>At this point, the facilities and capabilities of the malware became clearer.</p>
<p>There is a specific function for each of the main capabilities, making the code very modular and easy to change or maintain:</p>
<ul>
<li>Port Scanning utility</li>
<li>Collecting system fingerprint
<ul>
<li>Includes the device address (MAC, IP), and memory information. These are used in different functions of the code for different checks</li>
<li>TerraMaster TOS version of the system</li>
</ul>
</li>
<li>Creating and sending packets
<ul>
<li>ARP poisoning for Man-in-the-Middle attacks.</li>
<li>Supports UDP and TCP packets, but also application layer protocols such as HTTP, DNS, SSDP, and SNMP</li>
<li>Protocol packing support created by the attacker.</li>
</ul>
</li>
<li>Brute Force &#8211; using hard coded credentials 
<ul>
<li>With this list, the malware tries connecting to other network devices using Telnet. The function receives an IP range and tries to brute force each IP with the given credential. If it succeeds, the results of the correct credential are saved to a file, and sent in a message to the C2 server</li>
</ul>
</li>
<li>Handling sockets
<ul>
<li>Includes handling exceptions of runtime errors.</li>
<li>Supports multi-threaded communication to other devices. This allows simultaneous actions the bots can perform while listening to the server</li>
</ul>
</li>
<li>Sniffing the network
<ul>
<li>Executes using the “ARP poisoning” capability. The bot sets itself as a Man-in-the-Middle to other devices. The intercepted data is sent to the C2 server</li>
</ul>
</li>
<li>Spreading to different devices, using the “exploit” function.
<ul>
<li>Randomly generates the IPs to attack</li>
<li>Exploits the CVEs mentioned above (CVE-2020-7961 , CVE-2020-28188, CVE-2021-3007)</li>
</ul>
</li>
<li>Gaining persistence by adding itself to the rc.local configuration.</li>
<li>DDOS and Flooding – HTTP, DNS, SYN
<ul>
<li>Self-implementation of Slowlaris. The malware creates many sockets to a relevant victim address for the purpose of instigating a DDoS attack</li>
</ul>
</li>
<li>Opening a reverse-shell – shell on the client</li>
<li>Killing a process by name or ID</li>
<li>Packing and unpacking the code using obfuscation techniques to provide random names to the different functions and variables</li>
</ul>
<p><img loading="lazy" width="1022" height="676" class="aligncenter size-full wp-image-24547" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure11.png" alt="Part of the function exploit, which is responsible for the spreading attempts. Exploits CVE-2020-7961, CVE-2020-28188 and CVE-2021-3007, after clarification." /></p>
<p style="text-align: center;"><strong>Figure 11: </strong>Part of the function <em>exploit</em>, which is responsible for the spreading attempts. Exploits CVE-2020-7961, CVE-2020-28188 and CVE-2021-3007, after clarification.</p>
<p>&nbsp;</p>
<h1>The Malware’s Communication</h1>
<p><!-- /wp:paragraph --></p>
<p>Each infected device is configured to communicate with a hardcoded C2 server. All the connection credentials are obfuscated and encoded in the code itself multiple times, and are generated using multiple functions.</p>
<p>At the initial connection to the server, the conversation begins with the client sending a “NICK message”, which declares the user nickname. The nickname is generated with this format:</p>
<p><strong>[HAX|<strong style="color: red;">System OS</strong>|<strong style="color: green;">Machine Type</strong>|<strong style="color: blue;">CPU count</strong>] <strong style="color: purple;">8-12 random letters</strong></strong></p>
<p>An example of the bot nickname as created by the script:</p>
<p><strong>[HAX|<strong style="color: red;">Linux</strong>|<strong style="color: green;">x86_64</strong>|<strong style="color: blue;">3</strong>] <strong style="color: purple;">QCRjbbnQm</strong></strong></p>
<p>After declaring the nickname of the client, the client sends the username, which is the nickname plus the IRC address and the string “localhost  :”, followed by the bot nickname. When the server accepts this message, the communication begins.</p>
<p>Following a quick back and forth set of Ping-Pong messages, the server provides the client server information about the channels. Then, one minute later, the client can join channels on the server.</p>
<p>In FreakOut, the relevant channel was “#update” on the server “gxbrowser[.]net”.  The user must provide a channel key, used as a password, to connect to the channel. The key can be extracted from the code, and is equal to the string “N3Wm3W”.</p>
<p><img loading="lazy" width="770" height="469" class="aligncenter size-full wp-image-24548" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure12.png" alt="Communication with the server. Initiates the conversation with the relevant messages." /></p>
<p style="text-align: center;"><strong>Figure 12: </strong>Communication with the server. Initiates the conversation with the relevant messages.</p>
<p>The client can now be used as a part of a botnet campaign and accepts command messages from the server to execute. The commands are sent using a symbols-based communication. Each message sent by the server is parsed and split into different symbols, with each one having a different meaning.</p>
<p>Every message includes the command name (i.e: udpflood, synflood) and the rest of the arguments change accordingly. When the client finishes executing the relevant command as received from C2, it then sends the results in a private message (PRIVMSG IRC command) to the relevant admin in the channel, providing it with relevant details.</p>
<p><img loading="lazy" width="812" height="680" class="aligncenter size-full wp-image-24549" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure13.png" alt="Communication with the server. The server accepts commands in the format mentioned above. " /></p>
<p style="text-align: center;"><strong>Figure 13: </strong>Communication with the server. The server accepts commands in the format mentioned above.</p>
<h1> </h1>
<h1>The Impact</h1>
<p>Based on the malware features, it seems that the attacker can use the compromised systems for further attacks, such as using the system resources for crypto-mining, spreading laterally across the company network, or launching attacks on outside targets while masquerading as the compromised company. We revealed further information about FreakOut when we used the algorithm-created credentials to connect to the server. After logging in, additional server information is provided to the client, including the room’s capacity, the users connected and even operators and unknown connections.</p>
<p><img loading="lazy" width="906" height="591" class="aligncenter size-full wp-image-24550" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure14.png" alt="After logging in, more information is provided about the server." /></p>
<p style="text-align: center;"><strong>Figure 14: </strong>After logging in, more information is provided about the server.</p>
<p>The server was created in late November 2020 and has been running ever since with 300 current users and 5 channels. Exploring the different channels revealed a very active one, called #update. This channel includes 186 exploited devices communicating with the server, as seen in the messages exchanged between the IRC server and the client, and in the channel page:</p>
<p><img loading="lazy" class="aligncenter  wp-image-24551" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure15a.png" alt="" width="612" height="534" /><img loading="lazy" class="aligncenter  wp-image-24552" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure15b.png" alt="" width="612" height="215" /></p>
<p style="text-align: center;"><strong>Figure 15: </strong>The #update channel, as seen in the IRC communication with the malware and in the IRC channel surfed through a web interface.</p>
<p>We observed two additional channels called “opers” (which probably stands for operators as we have seen the server admin there), and “andpwnz”. The network name of the server is called “Keknet”. Due to the fact the file was updated and released in January 2021, we believe this scale was reached <u>in less than a week</u>. Therefore, we can assume that this campaign will ratchet up to higher levels in the near future.</p>
<h1> </h1>
<h1>Threat Actors</h1>
<p>To identify the threat actors responsible for the attacks, we searched for leads in the internet and social media.  Searching for both the code author, who goes by the name “Freak” (which we have also seen in the IRC server channels) and the IRC bot name “N3Cr0m0rPh”, revealed information about the threat actor behind the campaign.</p>
<p>In a post published on HackForums back in 2015, submitted by the user “Fl0urite” with the title “N3Cr0m0rPh Polymorphic IRC BOT”, the bot is offered for sale in exchange for BitCoins (BTC). This bot seem to have many of the same capabilities as the current one, and the same description as the current bot in the calling card. However, some of the features were omitted over the years, such as the USB worm and the regedit ability.</p>
<p>&nbsp;</p>
<p><img loading="lazy" width="1036" height="753" class="aligncenter size-full wp-image-24553" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure16.png" alt="The post submitted by “Fl0urite” back in 2015. The name of the IRC bot is the same, with many similar capabilities. " /></p>
<p style="text-align: center;"><strong>Figure 16: </strong>The post submitted by “Fl0urite” back in 2015. The name of the IRC bot is the same, with many similar capabilities.</p>
<p>The name “Fl0urite” is mentioned in other hacking forums and GitHub, and is associated with multiple pieces of code which can be found on these sites that resemble the current malware code functions.</p>
<p>As mentioned previously, “<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="57112532363c17073827223b22241438392325383b">[email&#160;protected]</a>” appears to be the author of  the latest code version. When we searched for these strings, we found several results, including an earlier version of the malware code (V6). In this version, however, the author left a comment, explaining the code is a free tool and that redistribution is allowed.</p>
<p><img loading="lazy" class="aligncenter  wp-image-24563" src="//research.checkpoint.com/wp-content/uploads/2021/01/1.png" alt="V6" width="823" height="540" /></p>
<p style="text-align: center;"><strong>Figure 17:</strong> Version 6 of the code.</p>
<p>As mentioned previously,  the admin in the IRC channel is also called “Freak.”</p>
<p><img loading="lazy" width="807" height="87" class="aligncenter size-full wp-image-24556" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure18.png" alt="The user “Freak” joins and leaves the #update channel on the server. " /></p>
<p style="text-align: center;"><strong>Figure 18:</strong> The user “Freak” joins and leaves the #update channel on the server.</p>
<p>In early 2015 codes found on Pastebin , that were uploaded by the user “Keksec”, there seems to be a link between the two identities “Fl0urite” and “Freak” in several files. In addition, there is a link to the user “Fl0urite” on HackForums in these files signed by “Freak.” The other files uploaded by the user are signed with the exact string “<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="cb8db9aeaaa08b9ba4bbbea7beb888a4a5bfb9a4a7">[email&#160;protected]</a> (aka sudoer)” that seems to be associated with the malware functions as well. Based on this evidence, we conclude that both identities belong to the same person.</p>
<p>In the Pastebin, there are also files that were uploaded recently (January 12, 2021).</p>
<p><img loading="lazy" width="909" height="681" class="aligncenter size-full wp-image-24557" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure1920.png" alt="Files uploaded to Pastebin.  The author presents himself as Freak/Fl0urite. The address is related to the user “Fl0urite” in HackForums, while later files uploaded are signed only with “Freak@PopulousControl.”" /></p>
<p style="text-align: center;"><strong>Figure 19-20:</strong> Files uploaded to Pastebin. The author presents himself as Freak/Fl0urite. The address is related to the user “Fl0urite” in Hack Forums, while later files uploaded are signed only with “<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="27615542464c67774857524b4852546448495355484b09">[email&#160;protected]</a>”</p>
<p>The URL of the site gxbrowser[.]net reveals the following page:</p>
<p><img loading="lazy" width="1446" height="667" class="aligncenter size-full wp-image-24558" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure21.png" alt="The index page of gxbrowser[.]net" /></p>
<p style="text-align: center;"><strong>Figure 21: </strong>The index page of gxbrowser[.]net</p>
<p>The page has the names “keksec” and “Freak” which were observed in the Pastebin files, and is also associated with the name “Keknet” seen in the IRC server.</p>
<p>Currently, it seems that “Freak” is using it to create a botnet.</p>
<p>On VT, and on the relevant Pastebin mentioned previously, there are other files related to the domain such as Crypto-mining malwares. In the latest code downloaded (January 12, 2021), it seems that the malware tries to exploit the vulnerabilities to install the Xmrig from the server hxxp://gxbrowser[.]net.</p>
<p><img loading="lazy" width="889" height="188" class="aligncenter size-full wp-image-24559" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure22.png" alt="Exploit function in the newest edition of the script – clarified. The file “xmrig1” is also downloaded." /></p>
<p style="text-align: center;"><strong>Figure 22: </strong>The file xmrig1 on the server gxbrowser[.]net</p>
<p>&nbsp;</p>
<p><img loading="lazy" width="899" height="378" class="aligncenter size-full wp-image-24560" src="//research.checkpoint.com/wp-content/uploads/2021/01/Figure23.png" alt="Exploit function in the newest edition of the script – clarified. The file “xmrig1” is also downloaded." /></p>
<p style="text-align: center;"><strong>Figure 23: </strong>Exploit function in the newest edition of the script – clarified. The file “xmrig1” is also downloaded.</p>
<h1> </h1>
<h1>Conclusion</h1>
<p>FreakOut is an attack campaign that utilizes three vulnerabilities, including some newly released, to compromise different servers. The threat actor behind the attack, named “Freak”, managed to infect many devices in a short period of time, and incorporated them into a botnet, which in turn is used for DDoS attacks and crypto-mining. Such attack campaigns highlight the importance of taking sufficient precautions and updating your security protections on a regular basis. As we have observed, this is an ongoing campaign that can spread rapidly.</p>
<p>&nbsp;</p>
<h1>MITRE ATT&amp;CK TECHNIQUES</h1>
<table width="500">
<tbody style="font-size: 13.5px;">
<tr>
<td style="font-size: 12.5px;" width="45">
<p style="font-size: 12.5px; text-align: center;"><a href="https://attack.mitre.org/tactics/TA0001"><strong>Initial Access</strong></a></p>
</td>
<td style="text-align: center;" width="49">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0011/"><strong>Resource Development</strong></a></p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0002"><strong>Execution</strong></a></p>
</td>
<td style="text-align: center;" width="66">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0003"><strong>Persistence</strong></a></p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0004"><strong>Privilege Escalation</strong></a></p>
</td>
<td style="text-align: center;" width="51">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0005"><strong>Defense Evasion</strong></a></p>
</td>
<td style="text-align: center;" width="53">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0006"><strong>Credential Access</strong></a></p>
</td>
<td style="text-align: center;" width="56">
<p style="text-align: center; font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0007/"><strong>Discovery</strong></a></p>
</td>
<td style="text-align: center;" width="56">
<p style="text-align: center; font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0008"><strong>Lateral Movement</strong></a></p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0009"><strong>Collection</strong></a></p>
</td>
<td style="text-align: center;" width="57">
<p style="text-align: center; font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0011/"><strong>Command and Control</strong></a></p>
</td>
<td style="text-align: center;" width="57">
<p style="text-align: center; font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0010"><strong>Exfiltration</strong></a></p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"><a href="https://attack.mitre.org/tactics/TA0040"><strong>Impact</strong></a></p>
</td>
</tr>
<tr>
<td width="45">
<p style="text-align: center; font-size: 12.5px;">Exploit Public-Facing Application (T1190)</p>
</td>
<td style="text-align: center;" width="49">
<p style="font-size: 12.5px;">Acquire infrastructure: Domains (T1583/003)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Exploitation for Client Execution (T1203)</p>
</td>
<td style="text-align: center;" width="66">
<p style="font-size: 12.5px;">Event Triggered Execution: .bash_profile and .bashrc (T1546/004)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Event Triggered Execution: .bash_profile and .bashrc (T1546/004)</p>
</td>
<td style="text-align: center;" width="51">
<p style="font-size: 12.5px;">Deobfuscate/Decode Files or Information (T1140)</p>
</td>
<td style="text-align: center;" width="53">
<p style="font-size: 12.5px;">Brute Force (T1110)</p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;">Network Service Scanning (T1046)</p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;">Remote Services (T1021)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Network Sniffing (T1040)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Application Layer Protocol (T1071)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Exfiltration over C2 Channel (T1041)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Network Denial of Service Direct Network Flood (T1498/001)</p>
</td>
</tr>
<tr>
<td width="45">
<p style="text-align: center; font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="49">
<p style="font-size: 12.5px;">Compromise Infrastructure: Botnet (T1584/005)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Command and Scripting Interpreter (T1059)</p>
</td>
<td style="text-align: center;" width="66">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="51">
<p style="font-size: 12.5px;">File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222/002)</p>
</td>
<td style="text-align: center;" width="53">
<p style="font-size: 12.5px;">Man-in-the-Middle: ARP Cache Poisoning (T1557/002)</p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;">Exploitation of Remote Services (T1210)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Data Staged: Local Data Staging (T1074/001)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;">Application Layer Protocol: Web Protocols (T1071/001)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="57">
<p style="text-align: center; font-size: 12.5px;">Network Denial of Service Reflection Amplification (T1498/002)</p>
</td>
</tr>
<tr>
<td width="45">
<p style="text-align: center; font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="49">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="text-align: center; font-size: 12.5px;">Command and Scripting Interpreter: Python (T1059/006)</p>
</td>
<td style="text-align: center;" width="66">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="51">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="53">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="text-align: center; font-size: 12.5px;">Application Layer Protocol: DNS (T1071/004)</p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="57">
<p style="text-align: center; font-size: 12.5px;">Resource Hijacking (T1496)</p>
</td>
</tr>
<tr>
<td width="45">
<p style="text-align: center; font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="49">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="text-align: center; font-size: 12.5px;">Command and Scripting Interpreter: Unix Shell (T1059/004)</p>
</td>
<td style="text-align: center;" width="66">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="51">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="53">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="56">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td style="text-align: center;" width="57">
<p style="text-align: center; font-size: 12.5px;">Data encoding (T1132)</p>
</td>
<td style="text-align: center;" width="57">
<p style="text-align: center; font-size: 12.5px;"> </p>
</td>
<td width="57">
<p style="text-align: center; font-size: 12.5px;"> </p>
</td>
</tr>
<tr>
<td style="text-align: center;" width="45">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="49">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="66">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="57">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="51">
<p style="font-size: 12.5px;"> </p>
</td>
<td width="53">
<pre> </pre>
</td>
<td width="56">
<pre> </pre>
</td>
<td width="56">
<pre> </pre>
</td>
<td width="57">
<pre> </pre>
</td>
<td width="57">
<p style="text-align: center; font-size: 12.5px;">Data Obfuscation (T1001)</p>
</td>
<td width="57">
<pre> </pre>
</td>
<td width="57">
<pre style="text-align: center;"> </pre>
</td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<h1>Protections</h1>
<p>Check Point customers are protected by these protections:</p>
<h4><u>IPS</u></h4>
<ul>
<li>TerraMaster TOS Command Injection (CVE-2020-28188).</li>
<li>Liferay Portal Insecure Deserialization (CVE-2020-7961).</li>
<li>Zend Framework Remote Code Execution (CVE-2021-3007).</li>
<li>CMD Injection Over HTTP</li>
</ul>
<h4><u>Anti-Bot</u></h4>
<ul>
<li>Win32.IRC.G</li>
<li>N3Cr0m0rPh.TC.a</li>
<li>Win32.N3Cr0m0rPh.TC.a</li>
<li>Win32.N3Cr0m0rPh.TC.b</li>
<li>Win32.N3Cr0m0rPh.TC.c</li>
<li>Win32.N3Cr0m0rPh.TC.d</li>
</ul>
<h1> </h1>
<h1>IOCs</h1>
<ul>
<li>hxxp://gxbrowser[.]net</li>
<li>7c7273d0ac2aaba3116c3021530c1c868dc848b6fdd2aafa1deecac216131779 – out.py (less obfuscated)</li>
<li>05908f2a1325c130e3a877a32dfdf1c9596d156d031d0eaa54473fe342206a65 – out.py (more obfuscated)</li>
<li>ac4f2e74a7b90b772afb920f10b789415355451c79b3ed359ccad1976c1857a8 – out.py (including the xmrig1 installation)</li>
<li>ac6818140883e0f8bf5cef9b5f965861ff64cebfe181ff025e1f0aee9c72506cOut – xmrig1</li>
</ul>
<p>&nbsp;</p>
<h1>References</h1>
<ul>
<li>https://kiwiirc.com/</li>
</ul>							</article>
						<div id="related">
			<h2>Related Articles</h2>
			<!-- Flickity HTML init -->
			<div class="carousel" data-flickity='{ "groupCells": true, "pageDots": false, "wrapAround": true }'>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2021/phorpiex-botnet-is-back-with-a-new-twizt-hijacking-hundreds-of-crypto-transactions/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2021/12/BotnetMaliciousWallet_header.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2021/04/WormableWhatsApp_blog_header.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2020/vulnerability-in-google-play-core-library-remains-unpatched-in-google-play-applications/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/12/GooglePlayBanner-Social-1021x580B.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>Vulnerability in Google Play Core Library Remains Unpatched in Google Play Applications</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2020/graphology-of-an-exploit-volodya/">
						<img width="1078" height="520" src="//research.checkpoint.com/wp-content/uploads/2020/09/graphology_of_an_exploit.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>Graphology of an Exploit &#8211; Hunting for exploits by looking for the author&#8217;s fingerprints</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2020/amazons-alexa-hacked/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/08/AlexaHacked_blog_header-1.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>Keeping the gate locked on your IoT devices: Vulnerabilities found on Amazon&#8217;s Alexa</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/07/GooglePlayBanner-Social-1021x580B.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>New Joker variant hits Google Play with an old trick</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2020/apache-guacamole-rce/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/06/Guacamole_CPR_FINAL-F-1021x580-3.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>Would you like some RCE with your Guacamole?</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/02/CheckPointResearchTurkishRat_blog_header.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2020/remote-cloud-execution-critical-vulnerabilities-in-azure-cloud-infrastructure-part-i/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/01/CheckPointResearchAzureStack_blog_header-FINAL-1.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>Remote Cloud Execution &#8211; Critical Vulnerabilities in Azure Cloud Infrastructure (Part I)</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2019/canadian-banks-targeted-in-a-massive-phishing-campaign/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2019/12/PhishingCanadianBanks_blog_1021x580-1.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>Canadian banks targeted in a massive phishing campaign</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2021/20th-december-threat-intelligence-report/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/05/ThreatIntelligenceBulletin.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>20th December – Threat Intelligence Report</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2021/stealthloader-malware-leveraging-log4shell/">
						<img width="1200" height="628" src="//research.checkpoint.com/wp-content/uploads/2021/11/CPR_Bank_1200x628.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>StealthLoader Malware Leveraging Log4Shell</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2021/the-laconic-log4shell-faq/">
						<img width="1200" height="628" src="//research.checkpoint.com/wp-content/uploads/2020/01/Social_1200x628_v3AutoIt.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>The Laconic Log4Shell FAQ</h3>
					</a>
				</div>
							<div class="carousel-cell">
					<a href="//research.checkpoint.com/2021/13th-december-threat-intelligence-report/">
						<img width="1021" height="580" src="//research.checkpoint.com/wp-content/uploads/2020/05/ThreatIntelligenceBulletin.jpg" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" alt="" loading="lazy" />						<h3>13th December – Threat Intelligence Report</h3>
					</a>
				</div>
						</div>
		</div>
	</div>
	<!-- <div class="col-md-4" id="sidebar">
		<div id="custom_html-3" class="widget_text widget_custom_html"><h3>Check Point Blog</h3><div class="textwidget custom-html-widget"><ul>
<li><a class="rsswidget" href="https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/">Achilles: Small chip, big peril.</a></li>
<li><a class="rsswidget" href="https://blog.checkpoint.com/2020/07/21/how-scammers-are-hiding-their-phishing-trips-in-public-clouds/">How scammers are hiding their phishing trips in public clouds</a></li>
<li><a class="rsswidget" href="https://blog.checkpoint.com/2020/07/16/fixing-the-zoom-vanity-clause-check-point-and-zoom-collaborate-to-fix-vanity-url-issue/">Fixing the Zoom ‘Vanity Clause’ – Check Point and Zoom collaborate to fix Vanity URL issue</a></li>
<li><a class="rsswidget" href="https://blog.checkpoint.com/2020/07/03/nexus-zeta-from-suspicious-alerts-to-conviction/">Nexus Zeta – From Suspicious Alerts to Conviction</a></li>
<li><a class="rsswidget" href="https://blog.checkpoint.com/2020/06/25/as-organizations-get-back-to-business-cyber-criminals-look-for-new-angles-to-exploit/">As organizations get back to business, cyber criminals look for new angles to exploit</a></li>
</ul></div></div>	</div> -->
</div>
<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script><script type="text/javascript" src="//platform-api.sharethis.com/js/sharethis.js#property=5a3031770f16c70012a3c297&product=sticky-share-buttons"></script>
</div>
<footer id="inc-footer">
    <div class="inc-wrapper">
        <div class="inc-footer-col">
            <span class="inc-footer-title">Publications</span>
            <ul>
                <li><a href="https://research.checkpoint.com/category/threat-intelligence-reports/">GLOBAL CYBER ATTACK REPORTS</a></li>
                <li><a href="https://research.checkpoint.com/category/threat-research/">RESEARCH PUBLICATIONS</a></li>
                <li><a href="https://www.checkpoint.com/advisories/">IPS ADVISORIES</a></li>
                <li><a href="http://blog.checkpoint.com/">CHECK POINT BLOG</a></li>
                <li><a href="https://research.checkpoint.com/category/demos/">DEMOS</a></li>
            </ul>
        </div>
        <div class="inc-footer-col">
            <span class="inc-footer-title">Tools</span>
            <ul>
                <li><a href="https://threatemulation.checkpoint.com/">SANDBLAST FILE ANALYSIS</a></li>
                <li><a href="https://www.checkpoint.com/urlcat/">URL CATEGORIZATION</a></li>
                <li><a href="http://www.cpcheckme.com/checkme/">INSTANT SECURITY ASSESSMENT</a></li>
                <li><a href="https://threatmap.checkpoint.com/ThreatPortal/livemap.html">LIVE THREAT MAP</a></li>
            </ul>
        </div>
        <div class="inc-footer-col">
            <a href="https://research.checkpoint.com/about-us/" class="inc-footer-title">About Us</a>
        </div>
        <div class="inc-footer-col">
            <a href="https://research.checkpoint.com/contact/" class="inc-footer-title">Contact Us</a>
        </div>
        <div class="inc-footer-col">
            <a href="https://research.checkpoint.com/subscription/" class="inc-footer-title">Subscribe</a>
        </div>
        <p id="inc-footer-copyright">&copy; 1994<script>new Date().getFullYear()>1994&&document.write("-"+new Date().getFullYear());</script> Check Point Software Technologies LTD. All rights reserved. <br />Property of <a href="https://www.checkpoint.com/">CheckPoint.com</a> | <a href="https://research.checkpoint.com/privacy-policy/">Privacy Policy</a></p>
    </div>
</footer>

<!-- Modal pop_over -->
<div class="modal fade" id="pop_over" tabindex="-1" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true">
    <div class="modal-dialog" role="document">
        <div class="modal-content">
            <div class="modal-body" style="padding: 0 1rem 1rem;">
                <button id="pop_close" type="button" class="close" data-dismiss="modal" aria-label="Close">
                    <span aria-hidden="true">&times;</span>
                </button>
                <a href="https://bit.ly/2Pmx8R2" target="_blank"><img src="/wp-content/uploads/2018/11/CfP_1021x580_A.jpg" style="max-height: 290px;" alt="Call For Papers"></a>
            </div>
        </div>
    </div>
</div>

<script type='text/javascript' src='https://research.checkpoint.com/wp-content/plugins/enlighter/cache/enlighterjs.min.js?ver=TJ0/7+iAWMKbDKS' id='enlighterjs-js'></script>
<script type='text/javascript' id='enlighterjs-js-after'>
!function(e,n){if("undefined"!=typeof EnlighterJS){var o={"selectors":{"block":"pre.EnlighterJSRAW","inline":"code.EnlighterJSRAW"},"options":{"indent":4,"ampersandCleanup":true,"linehover":true,"rawcodeDbclick":false,"textOverflow":"break","linenumbers":true,"theme":"enlighter","language":"enlighter","retainCssClasses":false,"collapse":false,"toolbarOuter":"","toolbarTop":"{BTN_RAW}{BTN_COPY}{BTN_WINDOW}{BTN_WEBSITE}","toolbarBottom":""}};(e.EnlighterJSINIT=function(){EnlighterJS.init(o.selectors.block,o.selectors.inline,o.options)})()}else{(n&&(n.error||n.log)||function(){})("Error: EnlighterJS resources not loaded yet!")}}(window,console);
</script>
<script type='text/javascript' src='https://cdn.onesignal.com/sdks/OneSignalSDK.js?ver=5.8.2' async='async' id='remote_sdk-js'></script>
</body>
</html>
